Google is shortening the time it gives makers of vulnerable software and web services to respond to a zero-day vulnerability it knows about: where it believes there is imminent danger, the window drops to seven days from the previous 60 days.
The Google security team said that if it encounters a zero-day vulnerability already being actively used in cyber attacks, it will grant the affected vendor seven days to fix the vulnerability or publish an advisory with mitigation strategies for users.
After seven days, Google intends to publish enough detail about the vulnerability that users of the vulnerable software can protect themselves from attacks. Previously, the company gave vendors sixty days before going public with vulnerability details.
Google said, though, that it has found zero-day vulnerabilities being used to target a limited subset of people, and that this targeting makes the attack more serious than a widespread one and more important to resolve quickly, especially where political activists end up compromised, since in some parts of the world the attacks can have “real safety implications”.
Google itself acknowledged that the seven-day period is an “aggressive time frame”, but said it should give a vendor enough time to publish advice on how to temporarily disable a service, restrict access, or provide contact information for more direct assistance.
“Each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google said, adding that it also plans to hold itself to the same standard and hopes to improve the coordination of web security and vulnerability management.